Actually, you would need this:

<hostname>MYAGENT|MYAGENT1|MYAGENT2</hostname>

Kevin

On Thu, Nov 2, 2017 at 10:26 AM, Stephen LuShing <smlush...@gmail.com>
wrote:

> Question
>
> The rule you provided
>
> <rule id="101234" level="5">
>         <if_sid>5104</if_sid>
>         <hostname>MYAGENT</hostname>
>         <description>Ignore promisc mode events for specific
> agent(s)</description>
>   </rule>
>
> If I have more than 1 server that is giving this message, will the entry be
> like
>
> <hostname>MYAGENT, MYAGENT1, MYAGENT2</hostname>
>
> or do I copy the same statement for different servers?
>
>
> Thanks in advance
>
> steve lushing
>
> On Tue, Oct 31, 2017 at 10:59 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
>> On Tue, Oct 31, 2017 at 10:58 AM, Stephen LuShing <smlush...@gmail.com>
>> wrote:
>> > Does this child rule go on my main OSSEC server or on the agent side? I am
>> > still learning OSSEC.
>> >
>>
>> Rules go on the OSSEC manager.
>>
>> > Thanks in advance
>> >
>> > Steve Lushing
>> >
>> > On Mon, Oct 30, 2017 at 11:43 AM, Branch Family <branchbu...@gmail.com>
>> > wrote:
>> >>
>> >> Stephen,
>> >>
>> >> If you want to granularly de-escalate or whitelist this alert, then create
>> >> a child rule to rule 5104 in /var/ossec/etc/rules/local_rules.xml like this,
>> >> somewhere in the sid range 100000-120000, with the agent name in question
>> >> substituted for MYAGENT.
>> >>
>> >>   <rule id="101234" level="5">
>> >>         <if_sid>5104</if_sid>
>> >>         <hostname>MYAGENT</hostname>
>> >>         <description>Ignore promisc mode events for specific
>> >> agent(s)</description>
>> >>   </rule>
>> >>
>> >> This would drop the severity level of the rule down to 5 for promisc
>> >> events involving MYAGENT, hopefully low enough to be below your
>> >> <email_alert_level> in ossec.conf so you don't get emailed about it.
>> >> Actually 5104 is only a level 8, which would imply your <email_alert_level>
>> >> is 8 or lower.  I imagine that would email you about a heap of events of
>> >> little alert value.  You might want to consider bumping up that threshold.
>> >> I personally would be deluged with emails even with an <email_alert_level>
>> >> value of 10.
>> >>
>> >> Regards,
>> >> Kevin
>> >>
>> >> On Mon, Oct 30, 2017 at 11:17 AM, Stephen LuShing <smlush...@gmail.com>
>> >> wrote:
>> >>>
>> >>> I do not want to block the whole event or this alert. Is there a way to
>> >>> block or whitelist a specific message from this alert? On this server we are
>> >>> getting the Interface entered in promiscuous(sniffing) mode for one server
>> >>> and a specific network interface.
>> >>>
>> >>> Can this be done at the agent level? We are basically getting "Oct 27
>> >>> 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode" message -
>> >>> we want to stop getting this as an email but still record it in the logs. Is
>> >>> there a way to do this?
>> >>>
>> >>> Else we may have to filter this email.
>> >>>
>> >>> Stephen LuShing
>> >>>
>> >>> On Fri, Oct 27, 2017 at 9:09 PM, <alberto.rodrig...@wazuh.com> wrote:
>> >>>>
>> >>>> Hello Stephen
>> >>>>
>> >>>>   I do not know if I understood well, but if you want to disable this
>> >>>> alert, you only need to add the following block to your file local_rules.xml
>> >>>>
>> >>>>   <rule id="5104" level="0" overwrite="yes">
>> >>>>     <if_sid>5100</if_sid>
>> >>>>     <regex>Promiscuous mode enabled|</regex>
>> >>>>     <regex>device \S+ entered promiscuous mode</regex>
>> >>>>     <description>Interface entered in promiscuous(sniffing)
>> >>>> mode.</description>
>> >>>>     <group>promisc,</group>
>> >>>>   </rule>
>> >>>>
>> >>>> This block will overwrite the official 5104 rule.
>> >>>> If you want to do that, you have to be sure, because you are changing
>> >>>> the level value of the event in order to dismiss it. It could be possible
>> >>>> that other similar events occur (i.e. a malicious script which changes the
>> >>>> network interface to promiscuous mode); then the event will not be
>> >>>> registered as an alert either.
>> >>>>
>> >>>> Hope it helps.
>> >>>> Best regards,
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Friday, October 27, 2017 at 7:11:26 AM UTC-7, Stephen LuShing wrote:
>> >>>>>
>> >>>>> We have recently been getting the following message from OSSEC:
>> >>>>>
>> >>>>> OSSEC HIDS Notification.
>> >>>>>
>> >>>>> 2017 Oct 27 09:40:01
>> >>>>>
>> >>>>> Received From: (lxbandt2) 10.8.6.31->/var/log/messages
>> >>>>>
>> >>>>> Rule: 5104 fired (level 8) -> "Interface entered in
>> >>>>> promiscuous(sniffing) mode."
>> >>>>>
>> >>>>> Portion of the log(s):
>> >>>>>
>> >>>>> Oct 27 09:39:59 lxbandt2 kernel: device eth10 entered promiscuous mode
>> >>>>>
>> >>>>> --END OF NOTIFICATION
>> >>>>>
>> >>>>> Question
>> >>>>>
>> >>>>> Is there a way to ignore this message (and others that are similar) as we
>> >>>>> determine that this is not an issue for the server (it seems like Oracle is
>> >>>>> running a process)?
>> >>>>>
>> >>>>> Is it possible to whitelist or somehow have OSSEC ignore this specific
>> >>>>> warning? If so, where do we code this?
>> >>>>>
>> >>>>> I am running OSSEC 2.8.1 on the client and server.
>> >>>>>
>> >>>>> Thanks in advance
>> >>>>>
>> >>>>> Stephen LuShing
>> >>>>>
>> >>>>> Hofstra University - Open System
>> >>>>>
>> >>>>> 125 Hofstra University
>> >>>>>
>> >>>>> McEwen Hall - Room 208
>> >>>>>
>> >>>>> Hempstead, NY 11549
>> >>>>
>> >>>> --
>> >>>>
>> >>>> ---
>> >>>> You received this message because you are subscribed to the Google
>> >>>> Groups "ossec-list" group.
>> >>>> To unsubscribe from this group and stop receiving emails from it,
>> send
>> >>>> an email to ossec-list+unsubscr...@googlegroups.com.
>> >>>> For more options, visit https://groups.google.com/d/optout.
>> >>>
>> >>>
>> >>
>> >>
>> >
>> >
>>
>>
>
>

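Added example, not part of this thread and not OSSEC project code: a small Python model of the two mechanisms the thread turns on, the child rule with a pipe-separated `<hostname>` list lowering the level of rule 5104 events for named agents, and `<email_alert_level>` deciding whether the lowered level still produces mail. The matching semantics used here (`|` separates alternatives, each alternative is an unanchored substring match unless written with `^`/`$`, first matching child rule wins) are a simplified model of OSSEC's OS_Match syntax and are an assumption of this example; the `local_rules.xml` fragment, its `<group>` wrapper and the agent names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment, modelled on the child rule from the
# thread with the pipe-separated hostname list. The <group> wrapper is an
# assumption so the fragment parses as a single XML document.
LOCAL_RULES = """<group name="local,">
  <rule id="101234" level="5">
    <if_sid>5104</if_sid>
    <hostname>MYAGENT|MYAGENT1|MYAGENT2</hostname>
    <description>Ignore promisc mode events for specific agent(s)</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Parse every <rule> in a local_rules.xml fragment into a dict."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("rule"):
        if_sid = rule.findtext("if_sid") or ""
        rules.append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            "if_sid": [int(s) for s in if_sid.split(",") if s.strip()],
            "hostname": (rule.findtext("hostname") or "").strip(),
        })
    return rules


def hostname_matches(pattern, agent_name):
    """Simplified model (assumption) of OSSEC <hostname> matching:
    '|' separates alternatives; each alternative is an unanchored substring
    match unless it starts with '^' and/or ends with '$'."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        start_anchor = alt.startswith("^")
        end_anchor = alt.endswith("$")
        core = alt[1:] if start_anchor else alt
        core = core[:-1] if end_anchor else core
        if start_anchor and end_anchor:
            hit = agent_name == core
        elif start_anchor:
            hit = agent_name.startswith(core)
        elif end_anchor:
            hit = agent_name.endswith(core)
        else:
            hit = core in agent_name
        if hit:
            return True
    return False


def lint_hostname(pattern):
    """Flag the comma-separated form asked about in the thread: the comma and
    space are literal characters, so 'A, B' is one pattern that matches no agent."""
    problems = []
    if "," in pattern or " " in pattern:
        problems.append("use '|' between agent names, not ', '")
    return problems


def effective_level(rules, parent_id, parent_level, agent_name):
    """Level an event from agent_name ends up with after the child rules of
    parent_id are tried (first matching child wins in this model)."""
    for rule in rules:
        if parent_id in rule["if_sid"] and hostname_matches(rule["hostname"], agent_name):
            return rule["level"]
    return parent_level


def would_email(level, email_alert_level):
    """OSSEC mails an alert when its level reaches <email_alert_level>."""
    return level >= email_alert_level


if __name__ == "__main__":
    rules = parse_rules(LOCAL_RULES)
    # Rule 5104 fires at level 8; the thread's asker is evidently at
    # <email_alert_level> 8 or lower, so use 8 here.
    for agent in ("MYAGENT", "MYAGENT2", "dbserver01"):
        lvl = effective_level(rules, 5104, 8, agent)
        print(agent, "-> level", lvl, "| email:", would_email(lvl, 8))
```

Two things the model makes visible that the thread only implies: an unanchored `MYAGENT` also matches `MYAGENT1`, so if you want one agent and not its similarly named neighbours, write `^MYAGENT$`; and the hostname-scoped child rule keeps the level-8 alert for every agent not listed, which is why it is the safer shape than the `overwrite="yes"` rewrite of 5104 earlier in the thread, where the promiscuous-mode event would disappear for every host.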
